Merge pull request #290 from kernelwernel/dev

PCI technique

Author: kernelwernel

auxiliary/add_technique.py

@@ -247,9 +247,14 @@ def write_header(options):
                 technique_details.append("@link " + options.link)
 
             technique_details.append("@category " + category_str)
-            technique_details.append("@note " + options.notes)
+
+            if options.notes != "":
+                technique_details.append("@note " + options.notes)
+
             if options.is_gpl:
                 technique_details.append("@copyright GPL-3.0")
+
+            technique_details.append("@implements VM::" + options.enum_name)
 
             # modify the technique details prefix comments 
             # depending on whether it's GPL or not
@@ -317,7 +322,7 @@ def write_header(options):
                     str(options.score) + 
                     ", VM::" + 
                     options.function_name +
-                    ", false } },\n"
+                    " } },\n"
                 )
             update_count += 1
 

docs/documentation.md

@@ -516,6 +516,7 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::UNKNOWN_MANUFACTURER` | Check if the CPU manufacturer is not known |  | 50% |  |  |  |  |
 | `VM::OSXSAVE` | Check if running xgetbv in the XCR0 extended feature register triggers an exception | Windows | 50% |  |  |  |  |
 | `VM::NSJAIL_PID` | Check if process status matches with nsjail patterns with PID anomalies | Linux | 75% |  |  |  |  |
+| `VM::PCI_VM` | Check for PCIe bridge names for known VM keywords and brands | Linux | 100% |  |  |  |  |
 <!-- ADD TECHNIQUE DETAILS HERE -->
 
 <br>

src/cli.cpp

@@ -389,6 +389,7 @@ bool is_unsupported(VM::enum_flags flag) {
 			case VM::FILE_ACCESS_HISTORY:
             case VM::UNKNOWN_MANUFACTURER:
 			case VM::NSJAIL_PID:
+			case VM::PCI_VM:
             // ADD LINUX FLAG
             return false;
             default: return true;
@@ -996,6 +997,7 @@ void general() {
     checker(VM::UNKNOWN_MANUFACTURER, "unknown manufacturer ids");
     checker(VM::OSXSAVE, "xgetbv");
 	checker(VM::NSJAIL_PID, "nsjail PID");
+	checker(VM::PCI_VM, "PCIe bridge ports");
     // ADD NEW TECHNIQUE CHECKER HERE
 
     std::printf("\n");

src/vmaware.hpp

@@ -577,6 +577,7 @@ struct VM {
         UNKNOWN_MANUFACTURER,
         OSXSAVE,
 		NSJAIL_PID,
+		PCI_VM,
         // ADD NEW TECHNIQUE ENUM NAME HERE
 
         // start of settings technique flags (THE ORDERING IS VERY SPECIFIC HERE AND MIGHT BREAK SOMETHING IF RE-ORDERED)
@@ -10205,6 +10206,52 @@ struct VM {
 #endif
 	}
 
+
+	/**
+	 * @brief Check for PCIe bridge names for known VM keywords and brands
+	 * @category Linux
+     * @implements VM::PCI_VM
+     */
+    [[nodiscard]] static bool lspci() {
+#if (!LINUX)
+        return false;
+#else
+        if (!(
+            (util::exists("/usr/bin/lspci")) || 
+            (util::exists("/bin/lspci")) ||
+            (util::exists("/usr/sbin/lspci"))
+        )) {
+            debug("PCI_VM: ", "binary doesn't exist");
+            return false;
+        }
+
+        const std::unique_ptr<std::string> result = util::sys_result("lspci 2>&1");
+    
+        if (result == nullptr) {
+            debug("PCI_VM: ", "invalid stdout output from lspci");
+            return false;
+        }
+    
+        const std::string full_command = *result;
+    
+        auto pci_finder = [&](const char* str) -> bool {
+            if (util::find(full_command, str)) { 
+                debug("PCI_VM: found ", str);
+                return true;
+            } else {
+                return false;
+            }
+        };
+    
+        if (pci_finder("QEMU PCIe Root port")) { return core::add(brands::QEMU); }
+        if (pci_finder("QEMU XHCI Host Controller")) { return core::add(brands::QEMU); }
+        if (pci_finder("QXL paravirtual graphic card")) { return core::add(brands::QEMU); }
+        if (pci_finder("Virtio")) { return true; } // could be used by a lot of brands, who knows
+
+        return false;
+#endif
+    }
+
     // ADD NEW TECHNIQUE FUNCTION HERE
 
 
@@ -11226,6 +11273,7 @@ struct VM {
             case UNKNOWN_MANUFACTURER: return "UNKNOWN_MANUFACTURER";
             case OSXSAVE: return "OSXSAVE";
 			case NSJAIL_PID: return "NSJAIL_PID";
+			case PCI_VM: return "PCI_VM";
             // ADD NEW CASE HERE FOR NEW TECHNIQUE
             default: return "Unknown flag";
         }
@@ -11813,6 +11861,7 @@ std::pair<VM::enum_flags, VM::core::technique> VM::core::technique_list[] = {
     { VM::UNKNOWN_MANUFACTURER, { 50, VM::unknown_manufacturer } },
     { VM::OSXSAVE, { 50, VM::osxsave } },
 	{ VM::NSJAIL_PID, { 75, VM::nsjail_proc_id } },
+	{ VM::PCI_VM, { 100, VM::lspci } },
     // ADD NEW TECHNIQUE STRUCTURE HERE
 };